Home OpenWrt vulnerability puts routers and other embedded devices at risk
News

OpenWrt vulnerability puts routers and other embedded devices at risk

Nathan Wasson Former Gaming & Tech Journalist Author expertise
Disclosure
Disclosure
In our content, we occasionally include affiliate links. Should you click on these links, we may earn a commission, though this incurs no additional cost to you. Your use of this website signifies your acceptance of our terms and conditions as well as our privacy policy.

Yesterday, ForAllSecure published a blog post by Guido Vranken detailing a vulnerability in OpenWrt, a Linux-based operating system for embedded devices that route network traffic. The vulnerability is found in OpenWrt’s opgk utility, which is used to install or update software. opkg pulls lists of installation packages from the OpenWrt website via an unencrypted HTTP connection. The package lists are digitally signed with a SHA256 hash by the OpenWrt maintainers, which the opkg installer checks to ensure the package list has not been tampered with.

However, there is a bug in the code that runs this check. A leading space in the checksum will cause opkg to skip the code that checks the integrity of the package and go straight to installation. Thus, a remote man-in-the-middle attacker could intercept the transmission of package lists and replace a package with a malicious one. The malicious package could then bypass the check, giving the attacker control over the device and the network traffic routed through it. Vranken explains how such a package could be created:

The sole constraint to reckon with is that the file size of compromised package must match the Size field in the package list.

Doing this is trivial:

  • Create a package that is smaller than the original
  • Compute the size difference between the original package and the compromised package
  • Append this amount of zero bytes to the end of the compromised package

According to Vranken, this bug appeared all the way back in February of 2017. The vulnerability appears in the National Vulnerability Database and the Common Vulnerabilities and Exposures system as CVE-2020-7982, and has a vulnerability score of 8.1 (high). OpenWrt was alerted to the vulnerability and has released updates that contain a fix. Devices running OpenWrt should be updated to the latest version of the operating system or should have their opkg packages updated.

AFFECTED VERSIONS

To our knowledge, OpenWrt versions 18.06.0 to 18.06.6 and 19.07.0 as well as LEDE 17.01.0 to 17.01.7 are affected. The fixed packages are integrated in the OpenWrt 18.06.7, OpenWrt 19.07.1 and subsequent releases.

The Tech Report - Editorial ProcessOur Editorial Process

The Tech Report editorial policy is centered on providing helpful, accurate content that offers real value to our readers. We only work with experienced writers who have specific knowledge in the topics they cover, including latest developments in technology, online privacy, cryptocurrencies, software, and more. Our editorial policy ensures that each topic is researched and curated by our in-house editors. We maintain rigorous journalistic standards, and every article is 100% written by real authors.

Question & Answers (5)

Have a question? Our panel of experts will answer your queries. Post your Question
  1. Thanks for the hot tip. I spent the afternoon updating my Linksys WRT1900AC bios. I’m glad I did, there are some new features with the new bios.

  2. I dunk my router in hot soapy water for a thorough cleaning at least 5 times a day.

    This router is fully protected from Coronavirus and any men in the middle!

      • Nice try Krogoth.

        But here at Intel we have now ascended to a higher plane of existence where we cancel support for OTHER PEOPLE’S products.

Leave a Reply

Write a Review

Your email address will not be published. Required fields are marked *

Nathan Wasson Former Gaming & Tech Journalist

Nathan Wasson Former Gaming & Tech Journalist

Nathan Wasson is a talented writer whose true passion lies in the realm of online games. At the Tech Report, Nathan kept the audience up-to-date with all things gaming, including the latest game reviews, console updates, and the latest and greatest in the gaming landscape